[thirdparty/glibc.git] / nscd / selinux.c

/* SELinux access controls for nscd.
   Copyright (C) 2004-2014 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Matthew Rickard <mjricka@epoch.ncsc.mil>, 2004.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <http://www.gnu.org/licenses/>.  */

#include "config.h"
#include <error.h>
#include <errno.h>
#include <libintl.h>
#include <pthread.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <selinux/av_permissions.h>
#include <selinux/avc.h>
#include <selinux/flask.h>
#include <selinux/selinux.h>
#ifdef HAVE_LIBAUDIT
# include <libaudit.h>
#endif

#include "dbg_log.h"
#include "selinux.h"


#ifdef HAVE_SELINUX
/* Global variable to tell if the kernel has SELinux support.  */
int selinux_enabled;

/* Define mappings of access vector permissions to request types.  */
static const access_vector_t perms[LASTREQ] =
{
  [GETPWBYNAME] = NSCD__GETPWD,
  [GETPWBYUID] = NSCD__GETPWD,
  [GETGRBYNAME] = NSCD__GETGRP,
  [GETGRBYGID] = NSCD__GETGRP,
  [GETHOSTBYNAME] = NSCD__GETHOST,
  [GETHOSTBYNAMEv6] = NSCD__GETHOST,
  [GETHOSTBYADDR] = NSCD__GETHOST,
  [GETHOSTBYADDRv6] = NSCD__GETHOST,
  [GETSTAT] = NSCD__GETSTAT,
  [SHUTDOWN] = NSCD__ADMIN,
  [INVALIDATE] = NSCD__ADMIN,
  [GETFDPW] = NSCD__SHMEMPWD,
  [GETFDGR] = NSCD__SHMEMGRP,
  [GETFDHST] = NSCD__SHMEMHOST,
  [GETAI] = NSCD__GETHOST,
  [INITGROUPS] = NSCD__GETGRP,
#ifdef NSCD__GETSERV
  [GETSERVBYNAME] = NSCD__GETSERV,
  [GETSERVBYPORT] = NSCD__GETSERV,
  [GETFDSERV] = NSCD__SHMEMSERV,
#endif
#ifdef NSCD__GETNETGRP
  [GETNETGRENT] = NSCD__GETNETGRP,
  [INNETGR] = NSCD__GETNETGRP,
  [GETFDNETGR] = NSCD__SHMEMNETGRP,
#endif
};

/* Store an entry ref to speed AVC decisions.  */
static struct avc_entry_ref aeref;

/* Thread to listen for SELinux status changes via netlink.  */
static pthread_t avc_notify_thread;

#ifdef HAVE_LIBAUDIT
/* Prototype for supporting the audit daemon */
static void log_callback (const char *fmt, ...);
#endif

/* Prototypes for AVC callback functions.  */
static void *avc_create_thread (void (*run) (void));
static void avc_stop_thread (void *thread);
static void *avc_alloc_lock (void);
static void avc_get_lock (void *lock);
static void avc_release_lock (void *lock);
static void avc_free_lock (void *lock);

/* AVC callback structures for use in avc_init.  */
static const struct avc_log_callback log_cb =
{
#ifdef HAVE_LIBAUDIT
  .func_log = log_callback,
#else
  .func_log = dbg_log,
#endif
  .func_audit = NULL
};
static const struct avc_thread_callback thread_cb =
{
  .func_create_thread = avc_create_thread,
  .func_stop_thread = avc_stop_thread
};
static const struct avc_lock_callback lock_cb =
{
  .func_alloc_lock = avc_alloc_lock,
  .func_get_lock = avc_get_lock,
  .func_release_lock = avc_release_lock,
  .func_free_lock = avc_free_lock
};

#ifdef HAVE_LIBAUDIT
/* The audit system's netlink socket descriptor */
static int audit_fd = -1;

/* When an avc denial occurs, log it to audit system */
static void
log_callback (const char *fmt, ...)
{
  if (audit_fd >= 0)
    {
      va_list ap;
      va_start (ap, fmt);

      char *buf;
      int e = vasprintf (&buf, fmt, ap);
      if (e < 0)
	{
	  buf = alloca (BUFSIZ);
	  vsnprintf (buf, BUFSIZ, fmt, ap);
	}

      /* FIXME: need to attribute this to real user, using getuid for now */
      audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
				  NULL, getuid ());

      if (e >= 0)
	free (buf);

      va_end (ap);
    }
}

/* Initialize the connection to the audit system */
static void
audit_init (void)
{
  audit_fd = audit_open ();
  if (audit_fd < 0
      /* If kernel doesn't support audit, bail out */
      && errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
    dbg_log (_("Failed opening connection to the audit subsystem: %m"));
}


# ifdef HAVE_LIBCAP
static const cap_value_t new_cap_list[] =
  { CAP_AUDIT_WRITE };
#  define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
static const cap_value_t tmp_cap_list[] =
  { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
#  define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))

cap_t
preserve_capabilities (void)
{
  if (getuid () != 0)
    /* Not root, then we cannot preserve anything.  */
    return NULL;

  if (prctl (PR_SET_KEEPCAPS, 1) == -1)
    {
      dbg_log (_("Failed to set keep-capabilities"));
      error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }

  cap_t tmp_caps = cap_init ();
  cap_t new_caps = NULL;
  if (tmp_caps != NULL)
    new_caps = cap_init ();

  if (tmp_caps == NULL || new_caps == NULL)
    {
      if (tmp_caps != NULL)
	cap_free (tmp_caps);

      dbg_log (_("Failed to initialize drop of capabilities"));
      error (EXIT_FAILURE, 0, _("cap_init failed"));
    }

  /* There is no reason why these should not work.  */
  cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
		(cap_value_t *) new_cap_list, CAP_SET);
  cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
		(cap_value_t *) new_cap_list, CAP_SET);

  cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
		(cap_value_t *) tmp_cap_list, CAP_SET);
  cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
		(cap_value_t *) tmp_cap_list, CAP_SET);

  int res = cap_set_proc (tmp_caps);

  cap_free (tmp_caps);

  if (__glibc_unlikely (res != 0))
    {
      cap_free (new_caps);
      dbg_log (_("Failed to drop capabilities"));
      error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
    }

  return new_caps;
}

void
install_real_capabilities (cap_t new_caps)
{
  /* If we have no capabilities there is nothing to do here.  */
  if (new_caps == NULL)
    return;

  if (cap_set_proc (new_caps))
    {
      cap_free (new_caps);
      dbg_log (_("Failed to drop capabilities"));
      error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
      /* NOTREACHED */
    }

  cap_free (new_caps);

  if (prctl (PR_SET_KEEPCAPS, 0) == -1)
    {
      dbg_log (_("Failed to unset keep-capabilities"));
      error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }
}
# endif /* HAVE_LIBCAP */
#endif /* HAVE_LIBAUDIT */

/* Determine if we are running on an SELinux kernel. Set selinux_enabled
   to the result.  */
void
nscd_selinux_enabled (int *selinux_enabled)
{
  *selinux_enabled = is_selinux_enabled ();
  if (*selinux_enabled < 0)
    {
      dbg_log (_("Failed to determine if kernel supports SELinux"));
      exit (EXIT_FAILURE);
    }
}


/* Create thread for AVC netlink notification.  */
static void *
avc_create_thread (void (*run) (void))
{
  int rc;

  rc =
    pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
  if (rc != 0)
    error (EXIT_FAILURE, rc, _("Failed to start AVC thread"));

  return &avc_notify_thread;
}


/* Stop AVC netlink thread.  */
static void
avc_stop_thread (void *thread)
{
  pthread_cancel (*(pthread_t *) thread);
}


/* Allocate a new AVC lock.  */
static void *
avc_alloc_lock (void)
{
  pthread_mutex_t *avc_mutex;

  avc_mutex = malloc (sizeof (pthread_mutex_t));
  if (avc_mutex == NULL)
    error (EXIT_FAILURE, errno, _("Failed to create AVC lock"));
  pthread_mutex_init (avc_mutex, NULL);

  return avc_mutex;
}


/* Acquire an AVC lock.  */
static void
avc_get_lock (void *lock)
{
  pthread_mutex_lock (lock);
}


/* Release an AVC lock.  */
static void
avc_release_lock (void *lock)
{
  pthread_mutex_unlock (lock);
}


/* Free an AVC lock.  */
static void
avc_free_lock (void *lock)
{
  pthread_mutex_destroy (lock);
  free (lock);
}


/* Initialize the user space access vector cache (AVC) for NSCD along with
   log/thread/lock callbacks.  */
void
nscd_avc_init (void)
{
  avc_entry_ref_init (&aeref);

  if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
    error (EXIT_FAILURE, errno, _("Failed to start AVC"));
  else
    dbg_log (_("Access Vector Cache (AVC) started"));
#ifdef HAVE_LIBAUDIT
  audit_init ();
#endif
}


/* Check the permission from the caller (via getpeercon) to nscd.
   Returns 0 if access is allowed, 1 if denied, and -1 on error.  */
int
nscd_request_avc_has_perm (int fd, request_type req)
{
  /* Initialize to NULL so we know what to free in case of failure.  */
  security_context_t scon = NULL;
  security_context_t tcon = NULL;
  security_id_t ssid = NULL;
  security_id_t tsid = NULL;
  int rc = -1;

  if (getpeercon (fd, &scon) < 0)
    {
      dbg_log (_("Error getting context of socket peer"));
      goto out;
    }
  if (getcon (&tcon) < 0)
    {
      dbg_log (_("Error getting context of nscd"));
      goto out;
    }
  if (avc_context_to_sid (scon, &ssid) < 0
      || avc_context_to_sid (tcon, &tsid) < 0)
    {
      dbg_log (_("Error getting sid from context"));
      goto out;
    }

#ifndef NSCD__GETSERV
  if (perms[req] == 0)
    {
      dbg_log (_("compile-time support for database policy missing"));
      goto out;
    }
#endif

  rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;

out:
  if (scon)
    freecon (scon);
  if (tcon)
    freecon (tcon);
  if (ssid)
    sidput (ssid);
  if (tsid)
    sidput (tsid);

  return rc;
}


/* Wrapper to get AVC statistics.  */
void
nscd_avc_cache_stats (struct avc_cache_stats *cstats)
{
  avc_cache_stats (cstats);
}


/* Print the AVC statistics to stdout.  */
void
nscd_avc_print_stats (struct avc_cache_stats *cstats)
{
  printf (_("\nSELinux AVC Statistics:\n\n"
	    "%15u  entry lookups\n"
	    "%15u  entry hits\n"
	    "%15u  entry misses\n"
	    "%15u  entry discards\n"
	    "%15u  CAV lookups\n"
	    "%15u  CAV hits\n"
	    "%15u  CAV probes\n"
	    "%15u  CAV misses\n"),
	  cstats->entry_lookups, cstats->entry_hits, cstats->entry_misses,
	  cstats->entry_discards, cstats->cav_lookups, cstats->cav_hits,
	  cstats->cav_probes, cstats->cav_misses);
}

#endif /* HAVE_SELINUX */
Commit	Line	Data
74a30a58	1	/* SELinux access controls for nscd.
d4697bc9	2	Copyright (C) 2004-2014 Free Software Foundation, Inc.
74a30a58 UD	3	This file is part of the GNU C Library.
	4	Contributed by Matthew Rickard <mjricka@epoch.ncsc.mil>, 2004.
	5
	6	The GNU C Library is free software; you can redistribute it and/or
	7	modify it under the terms of the GNU Lesser General Public
	8	License as published by the Free Software Foundation; either
	9	version 2.1 of the License, or (at your option) any later version.
	10
	11	The GNU C Library is distributed in the hope that it will be useful,
	12	but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public
59ba27a6 PE	17	License along with the GNU C Library; if not, see
59ba27a6 PE	18	<http://www.gnu.org/licenses/>. */
74a30a58	19
ec23b9be	20	#include "config.h"
74a30a58 UD	21	#include <error.h>
	22	#include <errno.h>
	23	#include <libintl.h>
	24	#include <pthread.h>
	25	#include <stdarg.h>
	26	#include <stdio.h>
	27	#include <stdlib.h>
	28	#include <syslog.h>
62a8cefb	29	#include <unistd.h>
1f063dca	30	#include <sys/prctl.h>
74a30a58 UD	31	#include <selinux/av_permissions.h>
	32	#include <selinux/avc.h>
	33	#include <selinux/flask.h>
	34	#include <selinux/selinux.h>
ec23b9be	35	#ifdef HAVE_LIBAUDIT
1f063dca	36	# include <libaudit.h>
ec23b9be	37	#endif
74a30a58 UD	38
	39	#include "dbg_log.h"
	40	#include "selinux.h"
	41
	42
	43	#ifdef HAVE_SELINUX
	44	/* Global variable to tell if the kernel has SELinux support. */
	45	int selinux_enabled;
	46
	47	/* Define mappings of access vector permissions to request types. */
684ae515	48	static const access_vector_t perms[LASTREQ] =
74a30a58 UD	49	{
	50	[GETPWBYNAME] = NSCD__GETPWD,
	51	[GETPWBYUID] = NSCD__GETPWD,
	52	[GETGRBYNAME] = NSCD__GETGRP,
	53	[GETGRBYGID] = NSCD__GETGRP,
	54	[GETHOSTBYNAME] = NSCD__GETHOST,
	55	[GETHOSTBYNAMEv6] = NSCD__GETHOST,
	56	[GETHOSTBYADDR] = NSCD__GETHOST,
	57	[GETHOSTBYADDRv6] = NSCD__GETHOST,
	58	[GETSTAT] = NSCD__GETSTAT,
	59	[SHUTDOWN] = NSCD__ADMIN,
	60	[INVALIDATE] = NSCD__ADMIN,
	61	[GETFDPW] = NSCD__SHMEMPWD,
	62	[GETFDGR] = NSCD__SHMEMGRP,
	63	[GETFDHST] = NSCD__SHMEMHOST,
f7e7a396	64	[GETAI] = NSCD__GETHOST,
b21fa963 UD	65	[INITGROUPS] = NSCD__GETGRP,
	66	#ifdef NSCD__GETSERV
	67	[GETSERVBYNAME] = NSCD__GETSERV,
	68	[GETSERVBYPORT] = NSCD__GETSERV,
	69	[GETFDSERV] = NSCD__SHMEMSERV,
	70	#endif
684ae515 UD	71	#ifdef NSCD__GETNETGRP
	72	[GETNETGRENT] = NSCD__GETNETGRP,
	73	[INNETGR] = NSCD__GETNETGRP,
	74	[GETFDNETGR] = NSCD__SHMEMNETGRP,
	75	#endif
74a30a58 UD	76	};
	77
	78	/* Store an entry ref to speed AVC decisions. */
	79	static struct avc_entry_ref aeref;
	80
	81	/* Thread to listen for SELinux status changes via netlink. */
	82	static pthread_t avc_notify_thread;
	83
ec23b9be UD	84	#ifdef HAVE_LIBAUDIT
	85	/* Prototype for supporting the audit daemon */
	86	static void log_callback (const char *fmt, ...);
	87	#endif
	88
74a30a58 UD	89	/* Prototypes for AVC callback functions. */
	90	static void avc_create_thread (void (run) (void));
	91	static void avc_stop_thread (void *thread);
	92	static void *avc_alloc_lock (void);
	93	static void avc_get_lock (void *lock);
	94	static void avc_release_lock (void *lock);
	95	static void avc_free_lock (void *lock);
	96
	97	/* AVC callback structures for use in avc_init. */
	98	static const struct avc_log_callback log_cb =
	99	{
ec23b9be UD	100	#ifdef HAVE_LIBAUDIT
	101	.func_log = log_callback,
	102	#else
74a30a58	103	.func_log = dbg_log,
ec23b9be	104	#endif
74a30a58 UD	105	.func_audit = NULL
	106	};
	107	static const struct avc_thread_callback thread_cb =
	108	{
	109	.func_create_thread = avc_create_thread,
	110	.func_stop_thread = avc_stop_thread
	111	};
	112	static const struct avc_lock_callback lock_cb =
	113	{
	114	.func_alloc_lock = avc_alloc_lock,
	115	.func_get_lock = avc_get_lock,
	116	.func_release_lock = avc_release_lock,
	117	.func_free_lock = avc_free_lock
	118	};
	119
ec23b9be UD	120	#ifdef HAVE_LIBAUDIT
	121	/* The audit system's netlink socket descriptor */
	122	static int audit_fd = -1;
	123
	124	/* When an avc denial occurs, log it to audit system */
64d64de6	125	static void
ec23b9be UD	126	log_callback (const char *fmt, ...)
ec23b9be UD	127	{
62a8cefb UD	128	if (audit_fd >= 0)
	129	{
	130	va_list ap;
	131	va_start (ap, fmt);
	132
	133	char *buf;
	134	int e = vasprintf (&buf, fmt, ap);
	135	if (e < 0)
	136	{
	137	buf = alloca (BUFSIZ);
	138	vsnprintf (buf, BUFSIZ, fmt, ap);
	139	}
	140
	141	/* FIXME: need to attribute this to real user, using getuid for now */
	142	audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
	143	NULL, getuid ());
ec23b9be	144
62a8cefb UD	145	if (e >= 0)
	146	free (buf);
	147
	148	va_end (ap);
	149	}
ec23b9be UD	150	}
	151
	152	/* Initialize the connection to the audit system */
64d64de6	153	static void
ec23b9be UD	154	audit_init (void)
	155	{
	156	audit_fd = audit_open ();
62a8cefb UD	157	if (audit_fd < 0
	158	/* If kernel doesn't support audit, bail out */
	159	&& errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
9b07a801	160	dbg_log (_("Failed opening connection to the audit subsystem: %m"));
ec23b9be	161	}
1f063dca UD	162
	163
	164	# ifdef HAVE_LIBCAP
	165	static const cap_value_t new_cap_list[] =
	166	{ CAP_AUDIT_WRITE };
	167	# define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
	168	static const cap_value_t tmp_cap_list[] =
	169	{ CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
	170	# define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))
	171
	172	cap_t
	173	preserve_capabilities (void)
	174	{
	175	if (getuid () != 0)
	176	/* Not root, then we cannot preserve anything. */
	177	return NULL;
	178
	179	if (prctl (PR_SET_KEEPCAPS, 1) == -1)
	180	{
	181	dbg_log (_("Failed to set keep-capabilities"));
	182	error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
	183	/* NOTREACHED */
	184	}
	185
	186	cap_t tmp_caps = cap_init ();
9d9febc7	187	cap_t new_caps = NULL;
1f063dca UD	188	if (tmp_caps != NULL)
	189	new_caps = cap_init ();
	190
	191	if (tmp_caps == NULL \|\| new_caps == NULL)
	192	{
	193	if (tmp_caps != NULL)
e1f0c5bc	194	cap_free (tmp_caps);
1f063dca UD	195
	196	dbg_log (_("Failed to initialize drop of capabilities"));
	197	error (EXIT_FAILURE, 0, _("cap_init failed"));
	198	}
	199
	200	/* There is no reason why these should not work. */
e1f0c5bc UD	201	cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
	202	(cap_value_t *) new_cap_list, CAP_SET);
	203	cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
	204	(cap_value_t *) new_cap_list, CAP_SET);
	205
	206	cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
	207	(cap_value_t *) tmp_cap_list, CAP_SET);
	208	cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
	209	(cap_value_t *) tmp_cap_list, CAP_SET);
1f063dca UD	210
	211	int res = cap_set_proc (tmp_caps);
	212
	213	cap_free (tmp_caps);
	214
a1ffb40e	215	if (__glibc_unlikely (res != 0))
1f063dca UD	216	{
1f063dca UD	217	cap_free (new_caps);
11bf311e	218	dbg_log (_("Failed to drop capabilities"));
1f063dca UD	219	error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
	220	}
	221
	222	return new_caps;
	223	}
	224
	225	void
	226	install_real_capabilities (cap_t new_caps)
	227	{
	228	/* If we have no capabilities there is nothing to do here. */
	229	if (new_caps == NULL)
	230	return;
	231
	232	if (cap_set_proc (new_caps))
	233	{
	234	cap_free (new_caps);
	235	dbg_log (_("Failed to drop capabilities"));
	236	error (EXIT_FAILURE, 0, _("cap_set_proc failed"));
	237	/* NOTREACHED */
	238	}
	239
	240	cap_free (new_caps);
	241
	242	if (prctl (PR_SET_KEEPCAPS, 0) == -1)
	243	{
	244	dbg_log (_("Failed to unset keep-capabilities"));
	245	error (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
	246	/* NOTREACHED */
	247	}
	248	}
	249	# endif /* HAVE_LIBCAP */
ec23b9be	250	#endif /* HAVE_LIBAUDIT */
74a30a58 UD	251
	252	/* Determine if we are running on an SELinux kernel. Set selinux_enabled
	253	to the result. */
	254	void
	255	nscd_selinux_enabled (int *selinux_enabled)
	256	{
	257	*selinux_enabled = is_selinux_enabled ();
	258	if (*selinux_enabled < 0)
	259	{
	260	dbg_log (_("Failed to determine if kernel supports SELinux"));
	261	exit (EXIT_FAILURE);
	262	}
	263	}
	264
	265
	266	/* Create thread for AVC netlink notification. */
	267	static void *
	268	avc_create_thread (void (*run) (void))
	269	{
	270	int rc;
	271
	272	rc =
	273	pthread_create (&avc_notify_thread, NULL, (void () (void *)) run, NULL);
	274	if (rc != 0)
	275	error (EXIT_FAILURE, rc, _("Failed to start AVC thread"));
	276
	277	return &avc_notify_thread;
	278	}
	279
	280
	281	/* Stop AVC netlink thread. */
	282	static void
	283	avc_stop_thread (void *thread)
	284	{
	285	pthread_cancel ((pthread_t ) thread);
	286	}
	287
	288
	289	/* Allocate a new AVC lock. */
	290	static void *
	291	avc_alloc_lock (void)
	292	{
	293	pthread_mutex_t *avc_mutex;
	294
	295	avc_mutex = malloc (sizeof (pthread_mutex_t));
	296	if (avc_mutex == NULL)
	297	error (EXIT_FAILURE, errno, _("Failed to create AVC lock"));
	298	pthread_mutex_init (avc_mutex, NULL);
	299
	300	return avc_mutex;
	301	}
	302
	303
	304	/* Acquire an AVC lock. */
	305	static void
	306	avc_get_lock (void *lock)
	307	{
	308	pthread_mutex_lock (lock);
	309	}
	310
	311
	312	/* Release an AVC lock. */
	313	static void
	314	avc_release_lock (void *lock)
315	{
316	pthread_mutex_unlock (lock);
317	}
318
319
320	/* Free an AVC lock. */
321	static void
322	avc_free_lock (void *lock)
323	{
324	pthread_mutex_destroy (lock);
325	free (lock);
326	}
327
328
329	/* Initialize the user space access vector cache (AVC) for NSCD along with
330	log/thread/lock callbacks. */
331	void
332	nscd_avc_init (void)
333	{
334	avc_entry_ref_init (&aeref);
335
336	if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
337	error (EXIT_FAILURE, errno, _("Failed to start AVC"));
338	else
339	dbg_log (_("Access Vector Cache (AVC) started"));
ec23b9be UD	340	#ifdef HAVE_LIBAUDIT
	341	audit_init ();
	342	#endif
74a30a58 UD	343	}
	344
	345
	346	/* Check the permission from the caller (via getpeercon) to nscd.
	347	Returns 0 if access is allowed, 1 if denied, and -1 on error. */
	348	int
	349	nscd_request_avc_has_perm (int fd, request_type req)
	350	{
	351	/* Initialize to NULL so we know what to free in case of failure. */
	352	security_context_t scon = NULL;
	353	security_context_t tcon = NULL;
	354	security_id_t ssid = NULL;
	355	security_id_t tsid = NULL;
	356	int rc = -1;
	357
	358	if (getpeercon (fd, &scon) < 0)
	359	{
	360	dbg_log (_("Error getting context of socket peer"));
	361	goto out;
	362	}
	363	if (getcon (&tcon) < 0)
	364	{
	365	dbg_log (_("Error getting context of nscd"));
	366	goto out;
	367	}
1945c96f UD	368	if (avc_context_to_sid (scon, &ssid) < 0
1945c96f UD	369	\|\| avc_context_to_sid (tcon, &tsid) < 0)
74a30a58 UD	370	{
	371	dbg_log (_("Error getting sid from context"));
	372	goto out;
	373	}
	374
7fe4e0e8 UD	375	#ifndef NSCD__GETSERV
	376	if (perms[req] == 0)
	377	{
	378	dbg_log (_("compile-time support for database policy missing"));
	379	goto out;
	380	}
	381	#endif
	382
74a30a58 UD	383	rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
	384
	385	out:
	386	if (scon)
	387	freecon (scon);
	388	if (tcon)
	389	freecon (tcon);
	390	if (ssid)
	391	sidput (ssid);
	392	if (tsid)
	393	sidput (tsid);
	394
	395	return rc;
	396	}
	397
	398
	399	/* Wrapper to get AVC statistics. */
	400	void
	401	nscd_avc_cache_stats (struct avc_cache_stats *cstats)
	402	{
	403	avc_cache_stats (cstats);
	404	}
	405
	406
	407	/* Print the AVC statistics to stdout. */
	408	void
	409	nscd_avc_print_stats (struct avc_cache_stats *cstats)
	410	{
	411	printf (_("\nSELinux AVC Statistics:\n\n"
	412	"%15u entry lookups\n"
	413	"%15u entry hits\n"
	414	"%15u entry misses\n"
	415	"%15u entry discards\n"
	416	"%15u CAV lookups\n"
	417	"%15u CAV hits\n"
	418	"%15u CAV probes\n"
	419	"%15u CAV misses\n"),
	420	cstats->entry_lookups, cstats->entry_hits, cstats->entry_misses,
	421	cstats->entry_discards, cstats->cav_lookups, cstats->cav_hits,
	422	cstats->cav_probes, cstats->cav_misses);
	423	}
	424
74a30a58	425	#endif /* HAVE_SELINUX */